diff options
| author | Nick Mathewson <nickm@torproject.org> | 2012-03-30 15:20:06 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2012-03-30 15:20:06 -0400 |
| commit | 5193752ca88849878a0843cec1e81c6b4b05e550 (patch) | |
| tree | 2e2de92d708917b628795cf35232ffedb7dc1617 | |
| parent | 458718d4975661831fa21d9f2653932e17c1bae0 (diff) | |
| download | tor-5193752ca88849878a0843cec1e81c6b4b05e550.tar.gz tor-5193752ca88849878a0843cec1e81c6b4b05e550.zip | |
Exits don't need to fetch certs for unknown authorities
When we started RefuseUnknownExits back in 0.2.2.11-alpha, we
started making exits act like they cache directory info (since they
need an up-to-date idea of who is really a router). But this
included fetching needless (unrecognized) authorities' certs, which
doesn't make any sense for them.
This is related to, but not necessarily the same as, the issue that
Ian reported for bug #2297.
(This patch is based on a patch from a user who I believe has asked
not to be named. If I'm wrong about that, please add the
appropriate name onto the changelog.)
| -rw-r--r-- | changes/bug2297-related | 6 | ||||
| -rw-r--r-- | src/or/dirserv.c | 9 | ||||
| -rw-r--r-- | src/or/dirserv.h | 1 | ||||
| -rw-r--r-- | src/or/routerlist.c | 4 |
4 files changed, 18 insertions, 2 deletions
diff --git a/changes/bug2297-related b/changes/bug2297-related new file mode 100644 index 0000000000..3d9af110f3 --- /dev/null +++ b/changes/bug2297-related @@ -0,0 +1,6 @@ + o Minor bugfixes: + - Exit nodes don't need to fetch certificates for authorities that + they don't recognize; only directory authorities, bridges, and + caches need to do that. Fix related to bug 2297; bugfix on + 0.2.2.11-alpha. + diff --git a/src/or/dirserv.c b/src/or/dirserv.c index 11f235caf4..898d9f4826 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -1252,6 +1252,15 @@ directory_caches_v2_dir_info(const or_options_t *options) return options->DirPort != NULL; } +/** Return true iff we want to fetch and keep certificates for authorities + * that we don't acknowledge as aurthorities ourself. + */ +int +directory_caches_unknown_auth_certs(const or_options_t *options) +{ + return options->DirPort || options->BridgeRelay; +} + /** Return 1 if we want to keep descriptors, networkstatuses, etc around * and we're willing to serve them to others. Else return 0. */ diff --git a/src/or/dirserv.h b/src/or/dirserv.h index fc48e489e8..3ff08157e0 100644 --- a/src/or/dirserv.h +++ b/src/or/dirserv.h @@ -76,6 +76,7 @@ int directory_fetches_dir_info_early(const or_options_t *options); int directory_fetches_dir_info_later(const or_options_t *options); int directory_caches_v2_dir_info(const or_options_t *options); #define directory_caches_v1_dir_info(o) directory_caches_v2_dir_info(o) +int directory_caches_unknown_auth_certs(const or_options_t *options); int directory_caches_dir_info(const or_options_t *options); int directory_permits_begindir_requests(const or_options_t *options); int directory_permits_controller_requests(const or_options_t *options); diff --git a/src/or/routerlist.c b/src/or/routerlist.c index 160f340dcf..f549549bf4 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -229,7 +229,7 @@ trusted_dirs_load_certs_from_string(const char *contents, int from_store, "signing key %s", from_store ? "cached" : "downloaded", ds->nickname, hex_str(cert->signing_key_digest,DIGEST_LEN)); } else { - int adding = directory_caches_dir_info(get_options()); + int adding = directory_caches_unknown_auth_certs(get_options()); log_info(LD_DIR, "%s %s certificate for unrecognized directory " "authority with signing key %s", adding ? "Adding" : "Not adding", @@ -480,7 +480,7 @@ authority_certs_fetch_missing(networkstatus_t *status, time_t now) smartlist_t *missing_digests; char *resource = NULL; cert_list_t *cl; - const int cache = directory_caches_dir_info(get_options()); + const int cache = directory_caches_unknown_auth_certs(get_options()); if (should_delay_dir_fetches(get_options())) return; |